* [PATCH 0/5] Export the sock's security context to proc
@ 2011-08-05  8:58 ` rongqing.li
  0 siblings, 0 replies; 22+ messages in thread
From: rongqing.li @ 2011-08-05  8:58 UTC (permalink / raw)
  To: netdev, selinux

-------
    Any review would be much appreciated.
 
Comments:
--------
    Export the sock's security context to proc.
    
    The element sk_security of struct sock represents the socket
    security context ID, which most of the time is inherited from the
    process that creates the socket.
    
    But when an SELinux type_transition rule is applied to the socket, or
    the application sets /proc/xxx/attr/createsock, the socket security
    context will differ from that of the creating process. In this
    condition "netstat -Z" returns the wrong value, since "netstat -Z"
    only reports the process security context as the socket's security
    context.
    
    Export the raw sock's security context to proc, so that "netstat -Z"
    can be fixed by reading procfs.

Test:
--------
1. When SELinux is enabled.


1.1 Check that the socket security context has been exported to procfs

root@qemu-host:/root> head -n 3 /proc/net/tcp 
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode   scontext                                          
   0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 5029 1 ffff88001b8ecc00 100 0 0 10 -1 system_u:system_r:initrc_t:s0-s15:c0.c1023                                                                
   1: 00000000:DBE2 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 4915 1 ffff88001b8ec600 100 0 0 10 -1 system_u:system_r:rpcd_t:s0-s15:c0.c1023                                                              


root@qemu-host:/root> head -n 3 /proc/net/udp 
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops  scontext                          
   53: 00000000:89F1 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 4912 2 ffff88001e3b49c0 0 system_u:system_r:rpcd_t:s0-s15:c0.c1023        
  172: 00000000:0268 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 4851 2 ffff88001e3b4340 0 system_u:system_r:rpcbind_t:s0-s15:c0.c1023           


root@qemu-host:/root> head -n 3 /proc/net/unix 
Num       RefCount Protocol Flags    Type St Inode Path      scontext
ffff88001ea1cc00: 00000002 00000000 00000000 0002 01   976 @/org/kernel/udev/udevd               system_u:system_r:udev_t:s0-s15:c0.c1023
ffff88001bbe6600: 0000000A 00000000 00000000 0002 01  4740 /dev/log                              system_u:system_r:syslogd_s_t:s15:c0.c1023
root@qemu-host:/root> 


root@qemu-host:/root> head -n 3 /proc/net/raw  
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops   scontext
root@qemu-host:/root> 

1.2 Check that these patches do not affect netstat; it still works
root@qemu-host:/root> netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address State      
tcp        0      0 *:1534                      *:* LISTEN      
tcp        0      0 *:56290                     *:* LISTEN      
tcp        0      0 localhost:submission        *:* LISTEN      
tcp        0      0 *:sunrpc                    *:* LISTEN
...

1.3 When syslog creates a socket and a type transition has been applied to it, the security context of
the socket is syslogd_s_t, not the same as its own process security context
syslogd_t; "netstat -Z" returns the wrong value, but the security context in procfs is correct

root@qemu-host:/etc> cat /proc/net/unix |grep syslog
ffff88001f856000: 00000002 00000000 00010000 0001 01  6385 /var/lib/syslog-ng/syslog-ng.ctl      system_u:system_r:syslogd_t:s15:c0.c1023
ffff88001f856300: 00000002 00000000 00000000 0002 01  6383 /dev/log                              system_u:system_r:syslogd_s_t:s15:c0.c1023
root@qemu-host:/etc> 

root@qemu-host:/etc> netstat -aZ|grep 6383
unix  2      [ ]         DGRAM                    6383   793/syslog-ng
system_u:system_r:syslogd_t:s15:c0.c1023          /dev/log
root@qemu-host:/etc> 



2. When SELinux is disabled

2.1 Check that the /proc/net/udp information is the same as without these patches

root@qemu-host:/root> head -n 3 /proc/net/raw  
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops 

root@qemu-host:/root> head -n 3 /proc/net/unix 
Num       RefCount Protocol Flags    Type St Inode Path    
ffff88001d226000: 0000000A 00000000 00000000 0002 01  2661 /dev/log                              
ffff88001ea1cc00: 00000002 00000000 00000000 0002 01   897 @/org/kernel/udev/udevd               

root@qemu-host:/root> head -n 3 /proc/net/tcp  
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode                                                     
   0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 2950 1 ffff88001d294c00 100 0 0 10 -1                     
   1: 0100007F:024B 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 3217 1 ffff88001d295e00 100 0 0 10 -1                     

root@qemu-host:/root> head -n 3 /proc/net/udp 
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops                                    
   57: 00000000:03F5 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 2772 2 ffff88001d2ac340 0                                 
  122: 00000000:D936 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 2831 2 ffff88001d2acd00 0                                 
root@qemu-host:/root>



^ permalink raw reply	[flat|nested] 22+ messages in thread
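What a "netstat -Z" fixed on top of this series would have to do with the new column, as an added example that is not part of the patch series or of net-tools: parse a /proc/net/tcp row in the layout shown in the test output above, treat the trailing scontext field as optional (it is absent when SELinux is disabled, and the series writes nothing when the helper fails), and decode the hex address the way netstat does. The two sample rows are copied from the cover letter's output and are the only input; the little-endian byte order assumed in format_ipv4() matches the x86-64 qemu host used there and is an assumption for other architectures.

```c
/*
 * Added example, not part of the patch series or of net-tools: parse
 * one /proc/net/tcp row as laid out by this series, where the trailing
 * "scontext" field is optional.  The sample rows are copied from the
 * cover letter's test output (constructed test input, nothing is read
 * from a live system).
 */
#include <stdio.h>
#include <string.h>

#define SCONTEXT_MAX 256

struct tcp_row {
	unsigned int sl, state, uid;
	unsigned int local_addr, local_port;	/* raw hex as printed */
	unsigned int remote_addr, remote_port;
	unsigned long inode;			/* what netstat joins to /proc/<pid>/fd */
	char scontext[SCONTEXT_MAX];		/* "" when the column is absent */
};

/* Row with an SELinux context appended (copied from the cover letter). */
const char SAMPLE_ROW_SELINUX[] =
	"   0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 "
	"00000000 0        0 5029 1 ffff88001b8ecc00 100 0 0 10 -1 "
	"system_u:system_r:initrc_t:s0-s15:c0.c1023                      \n";

/* Same layout with SELinux disabled: no context, trailing padding only. */
const char SAMPLE_ROW_PLAIN[] =
	"   1: 0100007F:024B 00000000:0000 0A 00000000:00000000 00:00000000 "
	"00000000 0        0 3217 1 ffff88001d295e00 100 0 0 10 -1           \n";

static int is_ws(char c)
{
	return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Return the last whitespace-separated token of s (length in *n, 0 if none). */
static const char *last_token(const char *s, size_t *n)
{
	size_t end = strlen(s), start;

	while (end > 0 && is_ws(s[end - 1]))
		end--;
	start = end;
	while (start > 0 && !is_ws(s[start - 1]))
		start--;
	*n = end - start;
	return s + start;
}

/* Returns 1 on success, 0 if the row does not have the fixed fields. */
int parse_tcp_row(const char *line, struct tcp_row *r)
{
	unsigned int txq, rxq, tr, retr;
	unsigned long when;
	int timeout, consumed = 0;
	const char *tok;
	size_t n;

	memset(r, 0, sizeof(*r));
	/* The fields up to "inode" are the same for every socket state;
	 * %n records where they end so a context is only accepted after. */
	if (sscanf(line, " %u: %x:%x %x:%x %x %x:%x %x:%lx %x %u %d %lu%n",
		   &r->sl, &r->local_addr, &r->local_port,
		   &r->remote_addr, &r->remote_port, &r->state,
		   &txq, &rxq, &tr, &when, &retr, &r->uid, &timeout,
		   &r->inode, &consumed) != 14)
		return 0;

	/* Everything after inode is numeric (refcnt, pointer, the tcp
	 * extras, "-1"), so a trailing token containing ':' can only be
	 * the security context user:role:type[:range]. */
	tok = last_token(line, &n);
	if (n > 0 && n < SCONTEXT_MAX && tok > line + consumed &&
	    memchr(tok, ':', n)) {
		memcpy(r->scontext, tok, n);
		r->scontext[n] = '\0';
	}
	return 1;
}

/* Decode the address as printed by %08X of a __be32 on a little-endian
 * host (assumption: matches the x86-64 test host in the cover letter). */
char *format_ipv4(unsigned int hex, char buf[16])
{
	snprintf(buf, 16, "%u.%u.%u.%u", hex & 0xff, (hex >> 8) & 0xff,
		 (hex >> 16) & 0xff, hex >> 24);
	return buf;
}

int main(void)
{
	const char *rows[] = { SAMPLE_ROW_SELINUX, SAMPLE_ROW_PLAIN };
	struct tcp_row r;
	char addr[16];
	size_t i;

	for (i = 0; i < 2; i++) {
		if (!parse_tcp_row(rows[i], &r))
			continue;
		printf("%s:%u inode=%lu scontext=%s\n",
		       format_ipv4(r.local_addr, addr), r.local_port,
		       r.inode, r.scontext[0] ? r.scontext : "(none)");
	}
	return 0;
}
```

The parser deliberately keys on the last token rather than on a fixed column, because the series pads rows to different widths per protocol and the numeric extras after inode vary with socket state; a reader that assumed a fixed offset for scontext would break on the first TIME_WAIT row.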


* [PATCH 1/5] Define the function to write sock's security context to seq_file.
  2011-08-05  8:58 ` rongqing.li
@ 2011-08-05  8:58   ` rongqing.li
  -1 siblings, 0 replies; 22+ messages in thread
From: rongqing.li @ 2011-08-05  8:58 UTC (permalink / raw)
  To: netdev, selinux

From: Roy.Li <rongqing.li@windriver.com>

This function writes the sock's security context to a seq_file
and returns an error code; the number of characters successfully
written is returned through the int pointer parameter.

This function will be called when exporting socket information to proc.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
 include/net/sock.h |    1 +
 net/core/sock.c    |   26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 8e4062f..0366ab1 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1828,6 +1828,7 @@ static inline struct sock *skb_steal_sock(struct sk_buff *skb)
 extern void sock_enable_timestamp(struct sock *sk, int flag);
 extern int sock_get_timestamp(struct sock *, struct timeval __user *);
 extern int sock_get_timestampns(struct sock *, struct timespec __user *);
+extern int sock_write_secctx(struct sock *sk, struct seq_file *seq, int *len);
 
 /* 
  *	Enable debug/info messages 
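Review bot: nothing in this hunk shows `struct seq_file` being declared for include/net/sock.h; if the prototype only compiles because another header happens to pull the declaration in, add a `struct seq_file;` forward declaration above it so sock.h stays self-contained. Minor: the neighbouring `sock_get_timestamp*` prototypes leave their parameters unnamed while this one names them; pick one style.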
diff --git a/net/core/sock.c b/net/core/sock.c
index bc745d0..1126a49 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2254,6 +2254,32 @@ void sk_common_release(struct sock *sk)
 }
 EXPORT_SYMBOL(sk_common_release);
 
+int sock_write_secctx(struct sock *sk, struct seq_file *seq, int *len)
+{
+	struct flowi fl;
+	char *ctx = NULL;
+	u32 ctxlen;
+	int res = 0;
+
+	*len = 0;
+
+	if (sk == NULL)
+		return -EINVAL;
+	res = security_socket_getsockname(sk->sk_socket);
+	if (res)
+		return res;
+
+	security_sk_classify_flow(sk, &fl);
+
+	res = security_secid_to_secctx(fl.flowi_secid, &ctx, &ctxlen);
+	if (res)
+		return res;
+
+	seq_printf(seq, " %s%n", ctx, len);
+	security_release_secctx(ctx, ctxlen);
+	return res;
+}
+
 static DEFINE_RWLOCK(proto_list_lock);
 static LIST_HEAD(proto_list);
 
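Review bot: `security_socket_getsockname(sk->sk_socket)` hands `sk->sk_socket` to a hook that dereferences it, but `sk_socket` is NULL for an orphaned socket (one whose descriptor was closed while the connection is still in FIN_WAIT, CLOSING or LAST_ACK), and such sockets are listed by /proc/net/tcp, so reading the file can oops; check `sk->sk_socket` before the call or use a check that takes the `struct sock`. The hook is also doing double duty as an access check on the reader (the getattr permission, with an AVC denial logged for every denied row on every read of the file), which is a policy decision that should be spelled out in the commit message rather than borrowed from getsockname semantics. `security_sk_classify_flow()` is the flow-classification hook; it works here only because it fills nothing but `flowi_secid` of the otherwise uninitialised `struct flowi`, and a plain secid accessor would say what is meant. Every caller in the series ignores the return value, so a failure silently leaves the row one field short. Finally, net/unix/af_unix.c can be built as a module, so this needs `EXPORT_SYMBOL(sock_write_secctx)` alongside the `EXPORT_SYMBOL(sk_common_release)` visible just above.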
-- 
1.7.1


^ permalink raw reply related	[flat|nested] 22+ messages in thread


* [PATCH 2/5] Export the raw sock's security context to proc.
  2011-08-05  8:58 ` rongqing.li
@ 2011-08-05  8:58   ` rongqing.li
  -1 siblings, 0 replies; 22+ messages in thread
From: rongqing.li @ 2011-08-05  8:58 UTC (permalink / raw)
  To: netdev, selinux

From: Roy.Li <rongqing.li@windriver.com>

The element sk_security of struct sock represents the socket
security context ID, which most of the time is inherited from the
process that creates the socket.

But when an SELinux type_transition rule is applied to the socket, or
the application sets /proc/xxx/attr/createsock, the socket security
context will differ from that of the creating process. In this
condition "netstat -Z" returns the wrong value, since "netstat -Z"
only reports the process security context as the socket's security
context.

Export the raw sock's security context to proc, so that "netstat -Z"
can be fixed by reading procfs.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
 net/ipv4/raw.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 1457acb..645d373 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -972,6 +972,7 @@ EXPORT_SYMBOL_GPL(raw_seq_stop);
 
 static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
 {
+	int sclen;
 	struct inet_sock *inet = inet_sk(sp);
 	__be32 dest = inet->inet_daddr,
 	       src = inet->inet_rcv_saddr;
@@ -979,12 +980,15 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
 	      srcp  = inet->inet_num;
 
 	seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
-		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
+		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d",
 		i, src, srcp, dest, destp, sp->sk_state,
 		sk_wmem_alloc_get(sp),
 		sk_rmem_alloc_get(sp),
 		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
 		atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
+
+	sock_write_secctx(sp, seq, &sclen);
+	seq_putc(seq, '\n');
 }
 
 static int raw_seq_show(struct seq_file *seq, void *v)
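Review bot: the result of `sock_write_secctx(sp, seq, &sclen)` is discarded and `sclen` is never read, so when the helper fails (reader denied, or no LSM implementing `secid_to_secctx`) the row simply ends after `drops` and a parser cannot tell "no label" from "denied"; check the return value and print a placeholder such as `-` in that case, or document that the column is optional per row. If raw rows are not going to be padded, let the helper accept a NULL `len` rather than making every caller carry a dummy variable.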
@@ -992,7 +996,8 @@ static int raw_seq_show(struct seq_file *seq, void *v)
 	if (v == SEQ_START_TOKEN)
 		seq_printf(seq, "  sl  local_address rem_address   st tx_queue "
 				"rx_queue tr tm->when retrnsmt   uid  timeout "
-				"inode ref pointer drops\n");
+				"inode ref pointer drops %s",
+				(selinux_is_enabled() ? "  scontext\n" : "\n"));
 	else
 		raw_sock_seq_show(seq, v, raw_seq_private(seq)->bucket);
 	return 0;
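Review bot: the header column is gated on `selinux_is_enabled()` while the row data from patch 1 comes through the LSM-generic `security_secid_to_secctx()`, so with another LSM that implements that hook the rows carry a context under a header that announces none, and with SELinux enabled but the reader denied the header announces a column the rows lack; gate both sides on the same condition. The same mismatch is in the header hunks of udp.c, af_unix.c and tcp_ipv4.c. `selinux_is_enabled()` is declared in `<linux/selinux.h>` and no hunk in this patch adds that include to net/ipv4/raw.c; include it explicitly rather than relying on it arriving transitively.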
-- 
1.7.1


^ permalink raw reply related	[flat|nested] 22+ messages in thread


* [PATCH 3/5] Export the udp sock's security context to proc.
  2011-08-05  8:58 ` rongqing.li
@ 2011-08-05  8:58   ` rongqing.li
  -1 siblings, 0 replies; 22+ messages in thread
From: rongqing.li @ 2011-08-05  8:58 UTC (permalink / raw)
  To: netdev, selinux

From: Roy.Li <rongqing.li@windriver.com>

Export the udp sock's security context to proc, since it may be
different from the security context of the sock's owner process.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
 net/ipv4/udp.c |   19 ++++++++++++++-----
 1 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 1b5a193..e64b858 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2089,6 +2089,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
 		int bucket, int *len)
 {
 	struct inet_sock *inet = inet_sk(sp);
+	int sclen;
 	__be32 dest = inet->inet_daddr;
 	__be32 src  = inet->inet_rcv_saddr;
 	__u16 destp	  = ntohs(inet->inet_dport);
@@ -2102,21 +2103,29 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
 		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
 		atomic_read(&sp->sk_refcnt), sp,
 		atomic_read(&sp->sk_drops), len);
+
+	sock_write_secctx(sp, f, &sclen);
+	*len += sclen;
 }
 
 int udp4_seq_show(struct seq_file *seq, void *v)
 {
-	if (v == SEQ_START_TOKEN)
-		seq_printf(seq, "%-127s\n",
+	int len;
+
+	if (v == SEQ_START_TOKEN) {
+		seq_printf(seq,
 			   "  sl  local_address rem_address   st tx_queue "
 			   "rx_queue tr tm->when retrnsmt   uid  timeout "
-			   "inode ref pointer drops");
+			   "inode ref pointer drops%n",
+			   &len);
+		seq_printf(seq, "%-*s\n", 150 - len,
+			   (selinux_is_enabled() ? "  scontext" : ""));
+	}
 	else {
 		struct udp_iter_state *state = seq->private;
-		int len;
 
 		udp4_format_sock(v, seq, state->bucket, &len);
-		seq_printf(seq, "%*s\n", 127 - len, "");
+		seq_printf(seq, "%*s\n", 150 - len, "");
 	}
 	return 0;
 }
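Review bot: `seq_printf(seq, "%*s\n", 150 - len, "")` now runs with `len` including the context (`*len += sclen` above), and the udp row format is already roughly 115 characters before the context, so a context like the cover letter's `system_u:system_r:rpcd_t:s0-s15:c0.c1023` (41 characters plus the separator) pushes `150 - len` negative; the fixed-width guarantee the padding exists for is then gone and the line is whatever vsnprintf makes of a negative `*` width. Either stop padding rows that carry a context, or size the width from the real maximum context length. Separately, the width changes from 127 to 150 in both the header and the row path regardless of whether anything was appended, so the line length of /proc/net/udp changes even when SELinux is disabled, which contradicts the section 2 check in the cover letter; keep 127 when no context is written. Minor: `len` was hoisted to function scope only so the header branch can use `%n`; the header is a constant string, so its pad width does not need `%n` at all.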
-- 
1.7.1


^ permalink raw reply related	[flat|nested] 22+ messages in thread


* [PATCH 4/5] Export the unix sock's security context to proc.
  2011-08-05  8:58 ` rongqing.li
@ 2011-08-05  8:58   ` rongqing.li
  -1 siblings, 0 replies; 22+ messages in thread
From: rongqing.li @ 2011-08-05  8:58 UTC (permalink / raw)
  To: netdev, selinux

From: Roy.Li <rongqing.li@windriver.com>

Export the unix sock's security context to proc, since it may be
different from the security context of the sock's owner process.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
 net/unix/af_unix.c |   15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index ec68e1c..338fa0a 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2239,12 +2239,15 @@ static void unix_seq_stop(struct seq_file *seq, void *v)
 	spin_unlock(&unix_table_lock);
 }
 
+#define OFFSET_PATH_START	40
 static int unix_seq_show(struct seq_file *seq, void *v)
 {
+	int seqlen, offset = OFFSET_PATH_START;
 
 	if (v == SEQ_START_TOKEN)
-		seq_puts(seq, "Num       RefCount Protocol Flags    Type St "
-			 "Inode Path\n");
+		seq_printf(seq, "Num       RefCount Protocol Flags    Type St "
+			 "Inode Path    %s",
+			 (selinux_is_enabled() ? "  scontext\n" : "\n"));
 	else {
 		struct sock *s = v;
 		struct unix_sock *u = unix_sk(s);
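Review bot: the header places `scontext` a few spaces after `Path`, but the rows below align the context `OFFSET_PATH_START` (40) columns past the start of the path, so the header no longer lines up with the data (visible in the cover letter's /proc/net/unix sample, where the header's `scontext` sits well left of the row contexts); derive the header gap from the same constant. `OFFSET_PATH_START` itself needs a comment saying it is the width reserved for the path column, and `seqlen` exists only as a dummy out-parameter for `sock_write_secctx()`. As in raw.c, `selinux_is_enabled()` is used without an `#include <linux/selinux.h>` anywhere in the patch.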
@@ -2275,7 +2278,15 @@ static int unix_seq_show(struct seq_file *seq, void *v)
 			}
 			for ( ; i < len; i++)
 				seq_putc(seq, u->addr->name->sun_path[i]);
+			if (offset > len)
+				offset -= (len + 1);
+			else
+				offset = 0;
 		}
+
+		seq_printf(seq, "%*c", offset, '\b');
+		sock_write_secctx(s, seq, &seqlen);
+
 		unix_state_unlock(s);
 		seq_putc(seq, '\n');
 	}
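Review bot: `seq_printf(seq, "%*c", offset, '\b')` pads to `offset` columns and then emits a literal backspace byte (0x08) into /proc/net/unix on every row, including when `offset` is 0, because `%c` always prints its argument; a terminal swallows it, which is why the cover letter's output looks clean, but any program reading the file now sees a control character between the path and the context. Use `seq_printf(seq, "%*s", offset, "")` to pad. Also note that a path of 39 or more characters collapses `offset` to 0, so the context then follows the path with only the single space that `sock_write_secctx()` prints, and an unnamed socket (no `u->addr`) gets the full 40-column gap; both are presumably intended but deserve a comment. Both `unix_table_lock` and `unix_state_lock(s)` are spinlocks held at this call, so the LSM permission check and `security_secid_to_secctx()` inside the helper must not sleep; the commit message should state that this holds for SELinux.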
-- 
1.7.1


^ permalink raw reply related	[flat|nested] 22+ messages in thread


* [PATCH 5/5] Export the tcp sock's security context to proc.
  2011-08-05  8:58 ` rongqing.li
@ 2011-08-05  8:58   ` rongqing.li
  -1 siblings, 0 replies; 22+ messages in thread
From: rongqing.li @ 2011-08-05  8:58 UTC (permalink / raw)
  To: netdev, selinux

From: Roy.Li <rongqing.li@windriver.com>

Export the tcp sock's security context to proc, since it may be
different from the security context of the sock's owner process.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
 net/ipv4/tcp_ipv4.c |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 955b8e6..98a85d6 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2478,13 +2478,16 @@ static void get_timewait4_sock(struct inet_timewait_sock *tw,
 static int tcp4_seq_show(struct seq_file *seq, void *v)
 {
 	struct tcp_iter_state *st;
-	int len;
+	int len, sclen;
+	struct sock *s = NULL;
 
 	if (v == SEQ_START_TOKEN) {
-		seq_printf(seq, "%-*s\n", TMPSZ - 1,
+		seq_printf(seq,
 			   "  sl  local_address rem_address   st tx_queue "
 			   "rx_queue tr tm->when retrnsmt   uid  timeout "
-			   "inode");
+			   "inode %n", &len);
+		seq_printf(seq, "%-*s\n", TMPSZ - len - 1,
+			   (selinux_is_enabled() ? "  scontext" : ""));
 		goto out;
 	}
 	st = seq->private;
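Review bot: the header is still padded to exactly `TMPSZ - 1` columns, but the row path in the next hunk pads to `TMPSZ + sclen - 1 - len` after already printing `sclen` context characters, so header and rows stop having the same width as soon as a context exists. TMPSZ is there because user space reads /proc/net/tcp in fixed 150-byte lines; either keep that invariant (truncate or drop the context when it does not fit) or state in the commit message that the fixed width is being abandoned on SELinux systems. The header is a constant string, so `%n` is not needed to find its length.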
@@ -2493,15 +2496,19 @@ static int tcp4_seq_show(struct seq_file *seq, void *v)
 	case TCP_SEQ_STATE_LISTENING:
 	case TCP_SEQ_STATE_ESTABLISHED:
 		get_tcp4_sock(v, seq, st->num, &len);
+		s = v;
 		break;
 	case TCP_SEQ_STATE_OPENREQ:
 		get_openreq4(st->syn_wait_sk, v, seq, st->num, st->uid, &len);
+		s = st->syn_wait_sk;
 		break;
 	case TCP_SEQ_STATE_TIME_WAIT:
 		get_timewait4_sock(v, seq, st->num, &len);
 		break;
 	}
-	seq_printf(seq, "%*s\n", TMPSZ - 1 - len, "");
+
+	sock_write_secctx(s, seq, &sclen);
+	seq_printf(seq, "%*s\n", TMPSZ + sclen - 1 - len, "");
 out:
 	return 0;
 }
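Review bot: the pad width `TMPSZ + sclen - 1 - len` counts the context twice, once as the characters already written and once more in the pad, so every row that has a context ends up `TMPSZ - 1 + 2 * sclen` characters wide; that matches the long run of blanks after each context in the cover letter's /proc/net/tcp sample. `TMPSZ - 1 - len` keeps the old padding after the context, `TMPSZ - 1 - len - sclen` keeps a fixed width when the context fits; pick one deliberately. `s` stays NULL for `TCP_SEQ_STATE_TIME_WAIT`, so those rows silently get no context (the helper returns -EINVAL), and for `TCP_SEQ_STATE_OPENREQ` it is the listener's context that is printed for the pending request; both are defensible but belong in the commit message. The series does not touch the IPv6 tables (/proc/net/tcp6, udp6, raw6), so a `netstat -Z` fixed on top of it would still report the process label for v6 sockets.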
-- 
1.7.1


^ permalink raw reply related	[flat|nested] 22+ messages in thread


* Re: [PATCH 1/5] Define the function to write sock's security context to seq_file.
  2011-08-05  8:58   ` rongqing.li
@ 2011-08-05 13:32       ` Stephen Smalley
  -1 siblings, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2011-08-05 13:32 UTC (permalink / raw)
  To: rongqing.li; +Cc: netdev, selinux, lsm

On Fri, 2011-08-05 at 16:58 +0800, rongqing.li@windriver.com wrote:
> From: Roy.Li <rongqing.li@windriver.com>
> 
> This function will write the sock's security context to a seq_file
> and return an error code; the number of characters successfully
> written is stored in the int pointer parameter.
> 
> This function will be called when exporting socket information to proc.
> 
> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
> ---
>  include/net/sock.h |    1 +
>  net/core/sock.c    |   26 ++++++++++++++++++++++++++
>  2 files changed, 27 insertions(+), 0 deletions(-)
> 

> diff --git a/net/core/sock.c b/net/core/sock.c
> index bc745d0..1126a49 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -2254,6 +2254,32 @@ void sk_common_release(struct sock *sk)
>  }
>  EXPORT_SYMBOL(sk_common_release);
>  
> +int sock_write_secctx(struct sock *sk, struct seq_file *seq, int *len)
> +{
> +	struct flowi fl;
> +	char *ctx = NULL;
> +	u32 ctxlen;
> +	int res = 0;
> +
> +	*len = 0;
> +
> +	if (sk == NULL)
> +		return -EINVAL;
> +	res = security_socket_getsockname(sk->sk_socket);
> +	if (res)
> +		return res;
> +
> +	security_sk_classify_flow(sk, &fl);

Rather than using a fake flowi, just define and use
security_sk_getsecid().  There is already a security_ops->sk_getsecid()
hook, so you just need the wrapper function.

> +
> +	res = security_secid_to_secctx(fl.flowi_secid, &ctx, &ctxlen);
> +	if (res)
> +		return res;
> +
> +	seq_printf(seq, " %s%n", ctx, len);
> +	security_release_secctx(ctx, ctxlen);
> +	return res;
> +}
> +
>  static DEFINE_RWLOCK(proto_list_lock);
>  static LIST_HEAD(proto_list);
>  
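Review bot: sk->sk_socket is not guaranteed to be non-NULL for a socket that reaches this function. A TCP socket whose owner has closed it is orphaned (sock_orphan() clears sk->sk_socket) yet stays in the established hash through FIN_WAIT/CLOSING/LAST_ACK and is still walked by tcp4_seq_show(), so security_socket_getsockname(sk->sk_socket) hands a NULL struct socket to the LSM hook. Check sk->sk_socket for NULL before the hook call (and print the placeholder for that case), or do the permission check at the sock level instead of through the struct socket.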

-- 
Stephen Smalley
National Security Agency



* Re: [PATCH 2/5] Export the raw sock's security context to proc.
  2011-08-05  8:58   ` rongqing.li
@ 2011-08-05 13:51     ` Stephen Smalley
  -1 siblings, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2011-08-05 13:51 UTC (permalink / raw)
  To: rongqing.li; +Cc: netdev, selinux, lsm

On Fri, 2011-08-05 at 16:58 +0800, rongqing.li@windriver.com wrote:
> From: Roy.Li <rongqing.li@windriver.com>
> 
> The element sk_security of struct sock represents the socket
> security context ID, which is inherited from the process that
> creates this socket most of the time.
> 
> But when an SELinux type_transition rule is applied to the socket, or
> the application sets /proc/xxx/attr/createsock, the socket security
> context will differ from the creating process's. In this
> condition, "netstat -Z" will return a wrong value, since
> "netstat -Z" only returns the process security context as the
> socket's security context.
> 
> Export the raw sock's security context to proc, so that "netstat -Z"
> can be fixed by reading procfs.
> 
> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
> ---
>  net/ipv4/raw.c |    9 +++++++--
>  1 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
> index 1457acb..645d373 100644
> --- a/net/ipv4/raw.c
> +++ b/net/ipv4/raw.c
> @@ -972,6 +972,7 @@ EXPORT_SYMBOL_GPL(raw_seq_stop);
>  
>  static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
>  {
> +	int sclen;
>  	struct inet_sock *inet = inet_sk(sp);
>  	__be32 dest = inet->inet_daddr,
>  	       src = inet->inet_rcv_saddr;
> @@ -979,12 +980,15 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
>  	      srcp  = inet->inet_num;
>  
>  	seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
> -		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
> +		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d",
>  		i, src, srcp, dest, destp, sp->sk_state,
>  		sk_wmem_alloc_get(sp),
>  		sk_rmem_alloc_get(sp),
>  		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
>  		atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
> +
> +	sock_write_secctx(sp, seq, &sclen);

You don't seem to use the return value or the sclen.  If that's
intentional, then why does sclen exist and why isn't the function void?

> +	seq_putc(seq, '\n');
>  }
>  
>  static int raw_seq_show(struct seq_file *seq, void *v)
> @@ -992,7 +996,8 @@ static int raw_seq_show(struct seq_file *seq, void *v)
>  	if (v == SEQ_START_TOKEN)
>  		seq_printf(seq, "  sl  local_address rem_address   st tx_queue "
>  				"rx_queue tr tm->when retrnsmt   uid  timeout "
> -				"inode ref pointer drops\n");
> +				"inode ref pointer drops %s",
> +				(selinux_is_enabled() ? "  scontext\n" : "\n"));

The rest of your code isn't SELinux-specific and should work for other
security modules, so there is no reason to make this SELinux-specific
either.  The audit system may provide a useful example.  I'd just always
include the field header (otherwise how can we add any further fields
unambiguously?), and make it something more general, like "seclabel".

>  	else
>  		raw_sock_seq_show(seq, v, raw_seq_private(seq)->bucket);
>  	return 0;

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 1/5] Define the function to write sock's security context to seq_file.
  2011-08-05  8:58   ` rongqing.li
@ 2011-08-05 13:56     ` Stephen Smalley
  -1 siblings, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2011-08-05 13:56 UTC (permalink / raw)
  To: rongqing.li; +Cc: netdev, selinux, lsm

On Fri, 2011-08-05 at 16:58 +0800, rongqing.li@windriver.com wrote:
> From: Roy.Li <rongqing.li@windriver.com>
> 
> This function will write the sock's security context to a seq_file
> and return an error code; the number of characters successfully
> written is stored in the int pointer parameter.
> 
> This function will be called when exporting socket information to proc.
> 
> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
> ---
>  include/net/sock.h |    1 +
>  net/core/sock.c    |   26 ++++++++++++++++++++++++++
>  2 files changed, 27 insertions(+), 0 deletions(-)

> diff --git a/net/core/sock.c b/net/core/sock.c
> index bc745d0..1126a49 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -2254,6 +2254,32 @@ void sk_common_release(struct sock *sk)
>  }
>  EXPORT_SYMBOL(sk_common_release);
>  
> +int sock_write_secctx(struct sock *sk, struct seq_file *seq, int *len)
> +{
> +	struct flowi fl;
> +	char *ctx = NULL;
> +	u32 ctxlen;
> +	int res = 0;
> +
> +	*len = 0;
> +
> +	if (sk == NULL)
> +		return -EINVAL;

Is this ever possible?

> +	res = security_socket_getsockname(sk->sk_socket);
> +	if (res)
> +		return res;

I'm not sure it is a good idea to output nothing if permission is denied
to the socket, as opposed to some well-defined string indicating that
condition.  Particularly if someone later adds another field to
the /proc files after the context; we don't want the contents of that
field to be interpreted as the context if permission was denied.

> +
> +	security_sk_classify_flow(sk, &fl);
> +
> +	res = security_secid_to_secctx(fl.flowi_secid, &ctx, &ctxlen);
> +	if (res)
> +		return res;

Likewise, if we couldn't map the secid to a secctx for some reason, we
likely ought to output some well-defined string indicating that
condition.

> +
> +	seq_printf(seq, " %s%n", ctx, len);
> +	security_release_secctx(ctx, ctxlen);
> +	return res;
> +}
> +
>  static DEFINE_RWLOCK(proto_list_lock);
>  static LIST_HEAD(proto_list);
>  
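Review bot: the new function is defined in net/core/sock.c without an EXPORT_SYMBOL(), unlike sk_common_release() just above it in this hunk (and the diffstat's 26 insertions are all accounted for by the function body, so no export is hidden elsewhere). The series also adds the column to unix sockets (PATCH 4/5), and af_unix can be built as a module; if that patch calls sock_write_secctx() the way the tcp and raw patches do, a CONFIG_UNIX=m build fails at module link time with an undefined reference. Add EXPORT_SYMBOL_GPL(sock_write_secctx) after the function, or EXPORT_SYMBOL to match the neighbouring export.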

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 1/5] Define the function to write sock's security context to seq_file.
  2011-08-05 13:56     ` Stephen Smalley
@ 2011-08-08  9:32       ` Rongqing Li
  -1 siblings, 0 replies; 22+ messages in thread
From: Rongqing Li @ 2011-08-08  9:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: netdev, selinux, lsm

On 08/05/2011 09:56 PM, Stephen Smalley wrote:
> On Fri, 2011-08-05 at 16:58 +0800, rongqing.li@windriver.com wrote:
>> From: Roy.Li<rongqing.li@windriver.com>
>>
>> This function will write the sock's security context to a seq_file
>> and return an error code; the number of characters successfully
>> written is stored in the int pointer parameter.
>>
>> This function will be called when exporting socket information to proc.
>>
>> Signed-off-by: Roy.Li<rongqing.li@windriver.com>
>> ---
>>   include/net/sock.h |    1 +
>>   net/core/sock.c    |   26 ++++++++++++++++++++++++++
>>   2 files changed, 27 insertions(+), 0 deletions(-)
>
>> diff --git a/net/core/sock.c b/net/core/sock.c
>> index bc745d0..1126a49 100644
>> --- a/net/core/sock.c
>> +++ b/net/core/sock.c
>> @@ -2254,6 +2254,32 @@ void sk_common_release(struct sock *sk)
>>   }
>>   EXPORT_SYMBOL(sk_common_release);
>>
>> +int sock_write_secctx(struct sock *sk, struct seq_file *seq, int *len)
>> +{
>> +	struct flowi fl;
>> +	char *ctx = NULL;
>> +	u32 ctxlen;
>> +	int res = 0;
>> +
>> +	*len = 0;
>> +
>> +	if (sk == NULL)
>> +		return -EINVAL;
>
> Is this ever possible?
>
Hi Stephen:

When outputting the tcp information to proc via tcp4_seq_show and the
tcp state is TCP_SEQ_STATE_TIME_WAIT, the input argument v is a
struct inet_timewait_sock; it seems we cannot get the struct sock
from a struct inet_timewait_sock, so I assume sk is NULL in that
condition.

static int tcp4_seq_show(struct seq_file *seq, void *v)
{

        case TCP_SEQ_STATE_TIME_WAIT:
                 get_timewait4_sock(v, seq, st->num, &len);
                 break;
         }
}


>> +	res = security_socket_getsockname(sk->sk_socket);
>> +	if (res)
>> +		return res;
>
> I'm not sure it is a good idea to output nothing if permission is denied
> to the socket, as opposed to some well-defined string indicating that
> condition.  Particularly if someone later adds another field to
> the /proc files after the context; we don't want the contents of that
> field to be interpreted as the context if permission was denied.
>

From your review, I have redesigned the output information as below.

When SELinux is disabled, print "(none)" in proc.
When SELinux is enabled and there is no error getting the security context,
print the real security context.
When SELinux is enabled and there is an error getting the security context,
print "??".

Do you think it is OK?

Thanks very much

-Roy

>> +
>> +	security_sk_classify_flow(sk,&fl);
>> +
>> +	res = security_secid_to_secctx(fl.flowi_secid,&ctx,&ctxlen);
>> +	if (res)
>> +		return res;
>
> Likewise, if we couldn't map the secid to a secctx for some reason, we
> likely ought to output some well-defined string indicating that
> condition.
>
>> +
>> +	seq_printf(seq, " %s%n", ctx, len);
>> +	security_release_secctx(ctx, ctxlen);
>> +	return res;
>> +}
>> +
>>   static DEFINE_RWLOCK(proto_list_lock);
>>   static LIST_HEAD(proto_list);
>>
>

-- 
Best Regards,
Roy | RongQing Li



* Re: [PATCH 1/5] Define the function to write sock's security context to seq_file.
  2011-08-08  9:32       ` Rongqing Li
@ 2011-08-08 13:25         ` Stephen Smalley
  -1 siblings, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2011-08-08 13:25 UTC (permalink / raw)
  To: Rongqing Li; +Cc: netdev, selinux, lsm

On Mon, 2011-08-08 at 17:32 +0800, Rongqing Li wrote:
> On 08/05/2011 09:56 PM, Stephen Smalley wrote:
> > I'm not sure it is a good idea to output nothing if permission is denied
> > to the socket, as opposed to some well-defined string indicating that
> > condition.  Particularly if someone later adds another field to
> > the /proc files after the context; we don't want the contents of that
> > field to be interpreted as the context if permission was denied.
> >
> 
> From your review, I have redesigned the output information as below.
> 
> When SELinux is disabled, print "(none)" in proc.
> When SELinux is enabled and there is no error getting the security context,
> print the real security context.
> When SELinux is enabled and there is an error getting the security context,
> print "??".
> 
> Do you think it is OK?

It appears that netstat presently displays a "-" if it cannot obtain the
security context or pid/program name information, so perhaps you should
follow that convention whenever you cannot obtain a security context
regardless of the particular reason. Note that your logic shouldn't be
based on whether or not SELinux is enabled/disabled per se, but rather
based on whether the security module provides security contexts, which
can be determined by checking whether the secid is set to a non-zero
value by security_sk_getsecid().  The audit system (kernel/audit*.c)
uses similar logic to decide whether or not to log task security
contexts.

-- 
Stephen Smalley
National Security Agency
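The reading side of the convention discussed above, as an added example that is not code from this thread, from netstat or from the kernel: a small C parser over constructed /proc/net/tcp rows in the layout of the era (patterned on the sample output at the top of the series), which reads the fixed prefix positionally as netstat does and takes the appended label as the last column, the only position a consumer can rely on once established and TIME_WAIT rows have different column counts. It shows why an omitted field is worse than a "-" placeholder: the row shaped like the posted sock_write_secctx() error path returns its last numeric column as the label.

```c
#include <stdio.h>
#include <string.h>

/* One parsed /proc/net/tcp row: the inode netstat keys on, plus the
 * trailing security-label column this series appends. */
struct tcp_row {
	int sl;                 /* slot number ("sl" column) */
	char state[3];          /* "st" column, two hex digits */
	unsigned long inode;    /* used by netstat to map the socket to a pid */
	int has_label;          /* 0 when the column holds the "-" placeholder */
	char seclabel[256];     /* label text, "" when has_label is 0 */
};

/* Constructed sample rows (not captured kernel output) in the 3.0-era
 * layout; the final token is the appended label column. */
static const char *const ROW_WITH_CTX =
	"   0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
	"     0        0 5029 1 ffff88001b8ecc00 100 0 0 10 -1"
	" system_u:system_r:initrc_t:s0-s15:c0.c1023";
/* established row where the LSM gave no context: "-", as netstat prints */
static const char *const ROW_WITH_DASH =
	"   1: 00000000:DBE2 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
	"     0        0 4915 1 ffff88001b8ec600 100 0 0 10 -1 -";
/* TIME_WAIT rows have fewer fixed columns (no rto/ato/cwnd/ssthresh) */
static const char *const ROW_TIMEWAIT =
	"   2: 0100007F:0016 0100007F:B2E5 06 00000000:00000000 03:00000A5C 00000000"
	"     0        0 0 2 ffff88001b8ec300 -";
/* what the posted sock_write_secctx() error path yields: no column at all */
static const char *const ROW_NO_FIELD =
	"   3: 0100007F:0016 0100007F:B2E4 01 00000000:00000000 00:00000000 00000000"
	"  1000        0 7131 1 ffff88001b8ec000 20 4 30 10 -1";

/* Copy the last whitespace-delimited token of line into buf. */
static void last_token(const char *line, char *buf, size_t bufsz)
{
	size_t end = strlen(line), start, n;

	while (end > 0 && (line[end - 1] == ' ' || line[end - 1] == '\n'))
		end--;
	start = end;
	while (start > 0 && line[start - 1] != ' ')
		start--;
	n = end - start;
	if (n >= bufsz)
		n = bufsz - 1;
	memcpy(buf, line + start, n);
	buf[n] = '\0';
}

/* Parse one row. The fixed prefix is read positionally, the way netstat's
 * sscanf() does; the label is taken as the last token because the number
 * of columns before it differs between established and TIME_WAIT rows, so
 * nothing can be counted forward to it. Returns 0, or -1 on a bad prefix. */
int parse_tcp_row(const char *line, struct tcp_row *row)
{
	memset(row, 0, sizeof(*row));
	if (sscanf(line,
		   "%d: %*[0-9A-Fa-f]:%*x %*[0-9A-Fa-f]:%*x %2s %*x:%*x %*x:%*x %*x %*d %*d %lu",
		   &row->sl, row->state, &row->inode) != 3)
		return -1;
	last_token(line, row->seclabel, sizeof(row->seclabel));
	if (strcmp(row->seclabel, "-") == 0) {
		row->seclabel[0] = '\0';	/* well-defined "no context" marker */
		row->has_label = 0;
	} else {
		row->has_label = 1;		/* wrong if the kernel omitted the field */
	}
	return 0;
}

int main(void)
{
	const char *const rows[] = { ROW_WITH_CTX, ROW_WITH_DASH, ROW_TIMEWAIT, ROW_NO_FIELD };
	size_t i;

	for (i = 0; i < sizeof(rows) / sizeof(rows[0]); i++) {
		struct tcp_row r;

		if (parse_tcp_row(rows[i], &r) < 0) {
			printf("row %zu: malformed\n", i);
			continue;
		}
		/* The last row reports "-1" (its ssthresh column) as the label. */
		printf("sl %d st %s inode %lu label %s\n", r.sl, r.state, r.inode,
		       r.has_label ? r.seclabel : "(none)");
	}
	return 0;
}
```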





Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
2011-08-05  8:58 [PATCH 0/5] Export the sock's security context to proc rongqing.li
2011-08-05  8:58 ` rongqing.li
2011-08-05  8:58 ` [PATCH 1/5] Define the function to write sock's security context to seq_file rongqing.li
2011-08-05  8:58   ` rongqing.li
     [not found]   ` <1312534686-4099-2-git-send-email-rongqing.li-CWA4WttNNZF54TAoqtyWWQ@public.gmane.org>
2011-08-05 13:32     ` Stephen Smalley
2011-08-05 13:32       ` Stephen Smalley
2011-08-05 13:56   ` Stephen Smalley
2011-08-05 13:56     ` Stephen Smalley
2011-08-08  9:32     ` Rongqing Li
2011-08-08  9:32       ` Rongqing Li
2011-08-08 13:25       ` Stephen Smalley
2011-08-08 13:25         ` Stephen Smalley
2011-08-05  8:58 ` [PATCH 2/5] Export the raw sock's security context to proc rongqing.li
2011-08-05  8:58   ` rongqing.li
2011-08-05 13:51   ` Stephen Smalley
2011-08-05 13:51     ` Stephen Smalley
2011-08-05  8:58 ` [PATCH 3/5] Export the udp " rongqing.li
2011-08-05  8:58   ` rongqing.li
2011-08-05  8:58 ` [PATCH 4/5] Export the unix " rongqing.li
2011-08-05  8:58   ` rongqing.li
2011-08-05  8:58 ` [PATCH 5/5] Export the tcp " rongqing.li
2011-08-05  8:58   ` rongqing.li
